Energetic Bear

Energetic Bear is a cyber espionage group that has been active since at least 2011. This group initially targeted defense and aviation companies, but shifted focus on the energy industry in early 2013. This group has also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence for these to be tracked as two separate groups.

Other names for this threat

ALLANITE, Crouching Yeti, Dragonfly, ELECTRUM, Group 24, Havex, IRON LIBERTY, Koala Team, Palmetto Fusion

The following is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - Energetic Bear Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - Energetic Bear Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - Energetic Bear Related Domain Observed

Description

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes.

Recommendation

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004